Filtered by vendor Incsub
Subscriptions
Total
15 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2021-36821 | 1 Incsub | 1 Forminator | 2024-06-04 | 6.1 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Forminator – Contact Form, Payment Form & Custom Form Builder allows Stored XSS.This issue affects Forminator – Contact Form, Payment Form & Custom Form Builder: from n/a through 1.14.11. | ||||
CVE-2023-6133 | 1 Incsub | 1 Forminator | 2023-11-30 | 4.9 Medium |
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient blacklisting on the 'forminator_allowed_mime_types' function in versions up to, and including, 1.27.0. This makes it possible for authenticated attackers with administrator-level capabilities or above to upload arbitrary files on the affected site's server, but due to the htaccess configuration, remote code cannot be executed. | ||||
CVE-2023-5119 | 1 Incsub | 1 Forminator | 2023-11-27 | 4.8 Medium |
The Forminator WordPress plugin before 1.27.0 does not properly sanitize the redirect-url field in the form submission settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup). | ||||
CVE-2023-4596 | 1 Incsub | 1 Forminator | 2023-11-07 | 9.8 Critical |
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | ||||
CVE-2023-3134 | 1 Incsub | 1 Forminator | 2023-11-07 | 6.1 Medium |
The Forminator WordPress plugin before 1.24.4 does not properly escape values that are being reflected inside form fields that use pre-populated query parameters, which could lead to reflected XSS attacks. | ||||
CVE-2023-2010 | 1 Incsub | 1 Forminator | 2023-11-07 | 3.1 Low |
The Forminator WordPress plugin before 1.24.1 does not use an atomic operation to check whether a user has already voted, and then update that information. This leads to a Race Condition that may allow a single user to vote multiple times on a poll. | ||||
CVE-2023-1478 | 1 Incsub | 1 Hummingbird | 2023-11-07 | 9.8 Critical |
The Hummingbird WordPress plugin before 3.4.2 does not validate the generated file path for page cache files before writing them, leading to a path traversal vulnerability in the page cache module. | ||||
CVE-2021-4417 | 1 Incsub | 1 Forminator | 2023-11-07 | 4.3 Medium |
The Forminator – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.13.4. This is due to missing or incorrect nonce validation on the listen_for_saving_export_schedule() function. This makes it possible for unauthenticated attackers to export form submissions via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
CVE-2019-9567 | 1 Incsub | 1 Forminator | 2023-05-18 | 6.1 Medium |
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has XSS via a custom input field of a poll. | ||||
CVE-2019-9568 | 1 Incsub | 1 Forminator | 2023-05-18 | 6.5 Medium |
The "Forminator Contact Form, Poll & Quiz Builder" plugin before 1.6 for WordPress has SQL Injection via the wp-admin/admin.php?page=forminator-entries entry[] parameter if the attacker has the delete permission. | ||||
CVE-2019-11872 | 1 Incsub | 1 Hustle | 2023-02-24 | 8.8 High |
The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator's computer through Excel functions as the plugin does not sanitize the user's input and allows insertion of any text. | ||||
CVE-2022-0994 | 1 Incsub | 1 Hummingbird | 2022-04-27 | 4.8 Medium |
The Hummingbird WordPress plugin before 3.3.2 does not sanitise and escape the Config Name, which could allow high privilege users, such as admin to perform cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
CVE-2021-24700 | 1 Incsub | 1 Forminator | 2021-11-24 | 4.8 Medium |
The Forminator WordPress plugin before 1.15.4 does not sanitize and escape the email field label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html is disallowed | ||||
CVE-2018-18576 | 1 Incsub | 1 Hustle | 2020-03-19 | 5.3 Medium |
The Hustle (aka wordpress-popup) plugin through 6.0.5 for WordPress allows Directory Traversal to obtain a directory listing via the views/admin/dashboard/ URI. | ||||
CVE-2015-9455 | 1 Incsub | 1 Buddypress-activity-plus | 2019-10-10 | 8.1 High |
The buddypress-activity-plus plugin before 1.6.2 for WordPress has CSRF with resultant directory traversal via the wp-admin/admin-ajax.php bpfb_photos[] parameter in a bpfb_remove_temp_images action. |
Page 1 of 1.